Living on a prayer: SMB bug from WannaCry attack, still not being patched
Are we on the cusp of another attack with a scale as devastating as WannaCry’s?
On 8 August 2017, Microsoft released a security patch including 48 fixes, 25 of which are deemed ‘critical’. Especially severe is CVE-2017-8620, which affects all current versions of Windows and enables the spread of threats between computers in the network.
An article on Threatpost.com reported, “The bug in Microsoft’s desktop search utility (CVE-2017-8620) allows an attacker to elevate privileges and remotely run arbitrary code. It affects all supported versions of Windows and Windows Server, and it can leverage SMB to remotely trigger the vulnerability.
“SMB v1, or Server Message Block, is the same attack vector used in the WannaCry and NotPetya attacks, giving an already hypersensitive user base more anxiety,” the website further reported.
Barracuda Network’s Product Manager, Tushar Richabadas, commented, “Yes, it is fully possible that more attacks can happen, and have the same impact as WannaCry.
“The whole issue lies in the fact that software is pretty much always going to have vulnerabilities that can be exploited. Additionally, many organisations do not fully protect their network and deployments, leaving significant holes that can be exploited!”
More threats in the pipeline… from another vector
So yes, the concerns of a hypersensitive base of SMB users, also known as potential victims, are substantiated, but the bad news does not end there.
Tushar also drew attention to how vulnerable software can be when he shared the results of an Internet-wide scan done by security researchers at Rapid7, a provider of IT insights solutions.
The results showed over 11 million devices with port 3389/TCP wide open online, with 4.1 million of these speaking RDP, the Remote Desktop Protocol.
The purpose of this protocol is to enable remote management, as well as for remote access to virtual desktops, applications and an RDP terminal server.
An article by Catalin Cimpanu at BleepingComputer.com shared that RDP is one of the enterprise world’s favourite remote management tools. However, it is also a favourite method for delivering ransomware, according to a report by Webroot in March 2017, and this method now surpasses spam campaigns.
There are many reasons for this. For one, the use of an encrypted channel is mistakenly thought to provide enough protection; it does not. Also, RDP machines are mostly left unprotected, without a firewall, authentication or a strong password.
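The three gaps named above (no firewall, no authentication in front of the session, weak passwords) can each be checked from the host itself. The following script is an added example for this article, not code from Rapid7, Webroot or BleepingComputer; it assumes Windows 8/Server 2012 or later with the NetSecurity and NetTCPIP modules and an elevated PowerShell session, and it is read-only.

```powershell
# Added example (not from the article): audit a Windows host's RDP exposure.
# Assumes Windows 8/Server 2012 or later, run in an elevated PowerShell session.
# The script only reports; it changes no settings.

$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
if (-not $rdpEnabled) {
    Write-Output 'RDP is disabled on this host; nothing further to check.'
    return
}

# 2. Is anything listening on 3389/TCP, and on which addresses?
$listeners = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    if ($l.LocalAddress -in @('0.0.0.0', '::')) {
        $findings += "RDP listener bound to all interfaces ($($l.LocalAddress):3389)"
    }
}

# 3. Network Level Authentication requires credentials before a session is created,
#    so the host does not expose the full logon screen to unauthenticated peers.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-tcp'"
if ($ts.UserAuthenticationRequired -ne 1) {
    $findings += 'Network Level Authentication is not required'
}

# 4. Windows Firewall: is the Remote Desktop rule enabled, and is its remote scope limited?
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True `
            -ErrorAction SilentlyContinue
if (-not $rules) {
    $findings += 'No enabled inbound firewall rule found for the Remote Desktop group'
} else {
    foreach ($r in $rules) {
        $scope = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        if ($scope -contains 'Any') {
            $findings += "Firewall rule '$($r.DisplayName)' accepts RDP from any remote address"
        }
    }
}

# 5. Account lockout: without a threshold, online password guessing is unthrottled.
#    'net accounts' output is locale-dependent; this parses the English label.
$lockout = (net accounts) | Select-String 'Lockout threshold'
if ($lockout -and $lockout.Line -match 'Never') {
    $findings += 'No account lockout threshold is set'
}

if ($findings.Count -eq 0) {
    Write-Output 'RDP exposure checks passed.'
} else {
    Write-Output 'RDP exposure findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A listener on all interfaces with a firewall rule scoped to "Any" is the combination the Rapid7 scan counts; restricting the rule's remote address scope to the management network, or placing RDP behind a VPN or gateway, is the usual fix, and NLA plus a lockout threshold covers the other two gaps.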
A pattern of challenges emerges
Tushar pointed out, “The part where organisations have to secure their networks and applications against zero-day attacks is especially important.
“These days, many malicious actors wait for the disclosure of a fix for a vulnerability, and then exploit it, because they know that organisations are slow to patch.”
The last time a vulnerability with global-scale consequences was discovered, it was March 2017, and the vulnerability was called ‘EternalBlue’. Two months after Microsoft released the patch for that exploit, WannaCry happened, impacting thousands of organisations across over 100 countries.
We hear that some organisations can’t afford the downtime that comes with patching, especially when mission-critical workloads are involved.
Experienced IT security professional Mahathir Abdul Malek explained, “If you ask me, patching is the most important thing to be aware of, during high alert of potential attacks.”
However, he said analysis of patches is also important. These are steps taken to understand what the patch is for, and what its impact on the IT environment would be. Analysis will also tell IT whether it needs to patch immediately or can wait for its patch cycle.
“Basically, we need to read about it, test it in staging, and then plan for deployment.
“It’s tedious, but that’s how it should be.”
He added that some patches also require downtime.
“Basically, you don’t want to have downtime every week,” he observed, inadvertently also voicing one of the main reasons why many users do not patch their systems, or are slow to do so.
However, in essence…
An IT professional and practitioner who refused to be named explained that SMB v1 allows the remote creation of exploits from vulnerabilities, i.e. CVE-2017-8620.
This journalist is aware of at least one organisation that has not patched and disabled SMB v1, despite that vulnerability being responsible for WannaCry spreading so quickly. The conclusion by other security experts is that less than 10 percent of users have patched the SMB v1 bug.
The IT professional, who is close to the matter of the unpatched organisation, also opined that as of now there are no known exploits of the Windows Search vulnerability, and that if there were any exploits in an enterprise scenario, “…the vulnerability can be remotely triggered and the target host remotely controlled through an unpatched SMB v1 connection!”
He advised that antivirus solutions that block viruses like WannaCry may be too late, and the best approach is to apply Microsoft’s latest patches.
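Both of the actions this section calls for, disabling SMB v1 and confirming the patch is installed, can be verified from the host. The script below is an added example for this article, not code from Microsoft or any of the people quoted; it assumes Windows 8.1/Server 2012 R2 or later with the SmbShare module and an elevated session. The article gives no KB number for the August 2017 update, so $RequiredKb is a placeholder to be filled in from Microsoft's security update guide for the OS build in question.

```powershell
# Added example (not from the article): report whether a host still exposes SMB v1,
# optionally disable it, and confirm that a given update is installed.
# Assumes Windows 8.1/Server 2012 R2 or later with the SmbShare module, run elevated.
param(
    [string]$RequiredKb = 'KB0000000',   # placeholder, not a real KB number; fill in per OS build
    [switch]$Remediate                   # without this switch the script only reports
)

$issues = @()

# 1. Server side: does the file server service still accept the SMB1 dialect?
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    $issues += 'SMB server still accepts SMB v1'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'Disabled SMB v1 on the server side.'
    }
}

# 2. Is the SMB1Protocol optional feature (client and server binaries) installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $issues += 'SMB1Protocol Windows feature is installed'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output 'Removed the SMB1Protocol feature (restart required).'
    }
}

# 3. Active SMB v1 sessions: these clients break when the protocol is disabled, which is
#    exactly the impact the patch-analysis step described above is meant to surface.
$v1Sessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
foreach ($s in $v1Sessions) {
    $issues += "Active SMB v1 session from $($s.ClientComputerName) as $($s.ClientUserName)"
}

# 4. Is the required update installed?
if (-not (Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)) {
    $issues += "Update $RequiredKb is not installed"
}

# 5. Context only: the affected component is the Windows Search service.
$search = Get-Service -Name WSearch -ErrorAction SilentlyContinue
if ($search) {
    Write-Output "Windows Search service status: $($search.Status)"
}

if ($issues.Count -eq 0) {
    Write-Output 'SMB v1 is disabled and the required update is present.'
} else {
    Write-Output 'Findings:'
    $issues | ForEach-Object { Write-Output " - $_" }
}
```

Run it once without -Remediate to see which clients still hold SMB v1 sessions; that list is the staging-and-planning input Mahathir describes, since those hosts (often printers, NAS devices or old scanners) need their own fix before SMB v1 can be switched off.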